MiloSZ

ONVIF security issue.


Bit of a heads up about a bit of a disconcerting security issue in some ONVIF IP cameras.

 

I had my eye on some low cost, Chinese OEM IP cameras because they have good NAS compatibility (claimed Synology). They are branded as IPS, Uvision, Gsvision, Sunvision, Aote among others. I was willing to put up with the clunky ActiveX interface because I figured I'd only have to configure them once and would be viewing the video through the NAS/NVR interface.

 

Everything went fairly smoothly- I set the time, IP address, changed the password- and when I went to log back in it would not accept the same one copied and pasted. No problem- went for the old reset button and… no reset button.

 

So I emailed the Chinese manufacturer, they asked for me to give their technician access to my computer via TeamViewer so he could reset it- I said that was not really an acceptable solution. So they sent me the default, hard-written to firmware, root password for their cameras so I could just remotely log-in and hard-reset the camera over telnet.

 

That's right, there's a root user, but you can't change the password.

 

Yeah- not too happy about that.

 

I spent a few days going back and forth with them- explaining why, with these cameras in homes and businesses all over the world this was a Bad Thing. Either they were playing dumb and had to have it for the Powers That Be (as has been documented with other network products of similar origin), or else they truly think it's ok. Their attitude was basically that they had made a mistake in giving it to me- and not in having one in the first place. Their "fix" was a promise to change the hard-written root pass in future firmware revisions. Given that the password is sent to the camera in plaintext, it's hardly likely the new one would remain secret for long.

 

(In case you are wondering, even after a few hard reset cycles the camera would still not accept a new admin password but that is no longer really a concern for me.)

 

All this seems a bit insane. As we all know few LANs are very secure- wifi is not tough to crack, we all password protect our computers and NASs against this eventuality. As it stands, anyone with access to the LAN that these cameras are on can take them all offline with a few keystrokes, or reset the admin password, restore the original IP and leave anonymous access on- so the owner would never know they had been compromised. Or set them to forward images to an outside location.

 

As far as cameras that are accessible via the Internet, many people will not change the camera's default IP- which means that even on reset it won't lose its port mapping and video could be viewed by anyone, anywhere. At the very least they could still disable it. Other than that, root is root and someone with better Linux skills could probably make more of it.

 

I'm posting this because as we all know there is no security in obscurity- and if they could accidentally just email me the root pass this is far from obscure. People have these cameras pointed at playgrounds and in private homes- hoping they don't give the password to anyone else (or that it is not already being used) is not really an option in my opinion. I would never consider installing a camera with this kind of known backdoor- perhaps others feel differently.

 

If you'd like to check your camera, here is the information:

 

1. Telnet XXX.XXX.XXX.XXX (whatever IP address the camera has, there are several tools to discover this)

username: root
password: rockTeco

2. Paste below info:

# find the MTD partition whose /proc/mtd entry contains "conf" (e.g. mtd3)
TMPCONF=$(sed  '/conf/!d' /proc/mtd |awk -F':' '{print $1}')
# erase that flash partition, remove the UI config, then restart
/home/flash_eraseall /dev/$TMPCONF
rm -fr /etc/ui.conf
reboot

3. After the reboot the IP address will return to: 192.168.1.128

username: admin
password: admin

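Added example, not part of the original post: a small audit an owner can run against their own camera inventory to see which units accept TCP connections on the telnet port and which are still on the factory-default address quoted above. The inventory format, the function names and the local stand-in listener are assumptions made for this sketch; it only completes a TCP handshake and never attempts a login.

```python
import socket

FACTORY_DEFAULT_IP = "192.168.1.128"  # post-reset address given in the post above
TELNET_PORT = 23


def tcp_port_open(host, port=TELNET_PORT, timeout=1.0):
    """Return True if a TCP connection to host:port completes (no login is attempted)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable or timed out
        return False


def audit_cameras(inventory, port=TELNET_PORT, timeout=1.0):
    """inventory maps a camera name to its IP; returns one finding dict per camera."""
    findings = []
    for name, ip in sorted(inventory.items()):
        issues = []
        if tcp_port_open(ip, port, timeout):
            issues.append(f"telnet reachable on tcp/{port}")
        if ip == FACTORY_DEFAULT_IP:
            issues.append("still on factory-default IP")
        findings.append({"camera": name, "ip": ip, "issues": issues})
    return findings


def demo():
    """Offline demo: a local listener stands in for a camera with telnet enabled."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))      # constructed stand-in, ephemeral port
        srv.listen(1)
        port = srv.getsockname()[1]
        exposed = audit_cameras({"lab-cam": "127.0.0.1"}, port=port)
    # Listener is closed now, so the same check must come back clean.
    closed = audit_cameras({"lab-cam": "127.0.0.1"}, port=port)
    return exposed, closed


if __name__ == "__main__":
    for label, result in zip(("listener up", "listener down"), demo()):
        for f in result:
            print(label, f["camera"], f["ip"], f["issues"] or "no findings")
```

For real use, call audit_cameras() with your own name-to-IP mapping and the default port 23; any camera that reports a finding belongs on an isolated VLAN or behind a firewall rule that blocks telnet.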

Just out of curiosity I checked that login against my Dahua cameras and it does not work.

 

I also changed the default passwords for all the default users for each of my cameras, but it wasn't the first thing I did so it's easy to overlook.

 

Dahua's come with 3 default accounts so go login and change those default passwords!


I agree, it doesn't seem to be a ONVIF vulnerability, but rather just a problem with that particular line of cameras- and it's not the first, see http://console-cowboys.blogspot.com/2012/01/trendnet-cameras-i-always-feel-like.html for another example.

 

Also, probably won't be the last, either- I'm fairly certain most cameras and VMS'es aren't tested for vulnerabilities the way most mass-market apps and devices are.....

 

Thanks for the heads up, though.

> Just out of curiosity I checked that login against my Dahua cameras and it does not work.
>
> I also changed the default passwords for all the default users for each of my cameras, but it wasn't the first thing I did so it's easy to overlook.
>
> Dahua's come with 3 default accounts so go login and change those default passwords!

don't be so ****y

 

DAHUA's UI (user interface) passwords are different from low level passwords (Embedded root access Linux)

 

but still...


If you have an IP camera accessible with telnet from the outside world (or anything else that should not be) I think that the main problem is not that there is a default password to reset the camera, but how your network is set up.

 

And as it has been said, this has nothing to do with ONVIF.


If I do a port scan of my Dahua camera it shows port 23 is open for telnet. Should that port be open? How would you telnet into the camera on a Mac, I'm interested in seeing if the back door posted above works?

> If I do a port scan of my Dahua camera it shows port 23 is open for telnet. Should that port be open? How would you telnet into the camera on a Mac, I'm interested in seeing if the back door posted above works?

 

Yes, it does work if you have the password.


Not Dahua by name, but with the Costco Q-See 7001, through its onvif API, I can access the camera without authenticating. That would be snapshots, streams, system reboot, even a factory reset, free to the world. If for some reason I wanted to authenticate, admin/admin always works the first time, and after a reboot (no persisting). Lots of onvif things that should work don't seem to work, either. All I wanted was a way to reboot the camera, but I got that and a lot more (that I didn't).


Dahua has a similar configuration vulnerability: via telnet you can access the camera.

username: root

password: vizxv

> I'm sure there are backdoors put in by a software engineer in just about any product.

 

Actually if the product is used by the government, military, or financial industry this will not fly, and they do pretty exhaustive testing for this kind of thing.

 

We actually have had to do firmware updates for fairly old devices to switch them away from having static passwords, in order to pass govt/military JITC tests.

 

Personally I would not deploy a device with a static (and known) root password in my wife's small dental practice, let alone a larger business.

 

I also agree that the thread is poorly titled. This is not an ONVIF security issue, this is an issue with low-end manufacturers' equipment.

 

If they have a default static password that you can change, that is fine. If you can reset the camera with a physical button, that's fine too.... but having a hard-coded firmware level backdoor password that can't be disabled or changed is a big no-no.


Why is nobody surprised about the analog CCTV cameras' VULNERABILITY? Just connect any analog monitor, and voilà.

First of all, protect your network.


That's a physical security vulnerability, vs a data security vulnerability.

 

To tap into an analog cam, you have to physically be on location; to tap into a network backdoor, you just need network access, from anywhere in the world. Forward the camera port for external access, and the backdoor lets anyone in.

 

A good rule of thumb: Once the adversary has physical access to your equipment, your security is compromised.

> > I'm sure there are backdoors put in by a software engineer in just about any product.
>
> Actually if the product is used by the government, military, or financial industry this will not fly, and they do pretty exhaustive testing for this kind of thing.
>
> We actually have had to do firmware updates for fairly old devices to switch them away from having static passwords, in order to pass govt/military JITC tests.
>
> Personally I would not deploy a device with a static (and known) root password in my wife's small dental practice, let alone a larger business.
>
> I also agree that the thread is poorly titled. This is not an ONVIF security issue, this is an issue with low-end manufacturers' equipment.
>
> If they have a default static password that you can change, that is fine. If you can reset the camera with a physical button, that's fine too.... but having a hard-coded firmware level backdoor password that can't be disabled or changed is a big no-no.

 

Having the port open and telnet running is the first bad idea. It's obvious there are all sorts of simple security issues with Dahua's stuff. I'm sure the API and web interface are riddled with them as well.


Doesn't anyone have concerns about these backdoors or are you just trunk slammers installing cheapazz cameras?

 

You call yourself a security technician then discover a vulnerability and look the other way? Like Yakdude says, that don't fly.


You would think that a notarized registered letter sent to a number of branches of these companies outlining their now well-known vulnerabilities might fix things in a hurry. Potential legal liability generally scares the bejeebers out of a company once it has been shown that a dangerous problem exists.

> You would think that a notarized registered letter sent to a number of branches of these companies outlining their now well-known vulnerabilities might fix things in a hurry. Potential legal liability generally scares the bejeebers out of a company once it has been shown that a dangerous problem exists.

 

How good is your Chinese?

